I found an interesting VBScript sample that is a perfect textbook case for training or learning purposes. It implements a nice obfuscation technique as well as many classic sandbox detection mechanisms. The script is a dropper: it extracts from its code a DLL that will be loaded if the script is running outside of a sandbox. Its current VT score is 25/57 (SHA256: 29d3955048f21411a869d87fb8dc2b22ff6b6609dd2d95b7ae8d269da7c8cc3d)[1].

Let’s first have a look at the sandbox detection tricks. A series of functions is called one after the other. First, the number of CPU cores is tested:

(Note: the code has been deobfuscated and beautified)

Function CheckAvailableCPUs()
    TnHWRZVH=Cint("0")
    Set VRfvQEHCs=GetObject("winmgmts:\\.\root\cimv2")
    ' 48 = wbemFlagReturnImmediately (16) + wbemFlagForwardOnly (32)
    Set uxSpQuH=VRfvQEHCs.ExecQuery("Select * from Win32_Processor", , Cint("48"))
    For Each XqDiZDh In uxSpQuH
        ' Flag any processor that reports fewer than 2 cores
        If XqDiZDh.NumberOfCores < Cint("2") Then
            TnHWRZVH=True
        End If
    Next
    If TnHWRZVH Then
        WaitSeconds
    Else
    End If
End Function

Having only one core in 2020 is indeed suspicious. Even entry-level computers have at least a dual-core CPU.

Then, the available memory and disk storage are tested in the same way using WMI:

Function CheckAvailableMemory()
    Set VRfvQEHCs=GetObject("winmgmts:\\.\root\cimv2")
    Set uxSpQuH=VRfvQEHCs.ExecQuery("Select * from Win32_ComputerSystem")
    For Each XqDiZDh In uxSpQuH
        ' Total physical memory converted from bytes to MB (1048576 bytes), plus 1
        zhlOwdMZ=zhlOwdMZ+Int((XqDiZDh.TotalPhysicalMemory) / CLng("1048576"))+Cint("1")
    Next
    ' Less than 1024 MB: stall twice
    If zhlOwdMZ < Cint("1024") Then
        WaitSeconds
        WaitSeconds
    End If
End Function

1GB is really not relevant today! And the available disk storage:

Function CheckAvailableStorage()
    Set VRfvQEHCs=GetObject("winmgmts:\\.\root\cimv2")
    Set uxSpQuH=VRfvQEHCs.ExecQuery("Select * from Win32_LogicalDisk")
    For Each XqDiZDh In uxSpQuH
        ' Sum the size of every logical disk, converted from bytes to GB (1073741824 bytes)
        zhlOwdMZ=zhlOwdMZ+Int(XqDiZDh.Size / Clng("1073741824"))
    Next
    If zhlOwdMZ < Cint("60") Then
        WaitSeconds
    End If
End Function

60GB is a bare minimum for the script to continue.

Then, it also tries to detect suspicious running processes. The list is quite interesting and contains most of the tools used by reversers, security analysts or in sandboxes:

Note that some of them are not security tools (e.g. totalcmd.exe) but may reflect a system used by a power user or a system admin.

In all the functions above, you can see calls to another function ‘WaitSeconds’. It just pauses the script. I presume that the goal is to slow down the execution to try to reach the sandbox timeout. This means that the script execution will automatically be suspended (without a suspicious “exit”).
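
The checks above all share one shape: a WMI query against a Win32_* class, a property read, a numeric threshold wrapped in Cint("...") or CLng("..."), and one or more WaitSeconds stalls. The following Python code is an added example for triage of deobfuscated scripts, not code from the sample or from the original analysis; the names unwrap_constants and find_env_checks are hypothetical, and the embedded input is the memory check shown on this page.

```python
import re

# Constructed input: the memory check shown above, copied as deobfuscated text.
SAMPLE = r'''
Function CheckAvailableMemory()
Set VRfvQEHCs=GetObject("winmgmts:\\.\root\cimv2")
Set uxSpQuH=VRfvQEHCs.ExecQuery("Select * from Win32_ComputerSystem")
For Each XqDiZDh In uxSpQuH
zhlOwdMZ=zhlOwdMZ+Int((XqDiZDh.TotalPhysicalMemory) / CLng("1048576"))+Cint("1")
Next
If zhlOwdMZ < Cint("1024") Then
WaitSeconds
WaitSeconds
End If
End Function
'''

FUNC_RE = re.compile(r'^\s*Function\s+(\w+)[^\n]*\n(.*?)^\s*End Function', re.I | re.S | re.M)

def unwrap_constants(src):
    """Turn string-wrapped numbers such as Cint("1024") into bare literals."""
    return re.sub(r'\bC(?:int|lng)\(\s*"(\d+)"\s*\)', r'\1', src, flags=re.I)

def first_int(pattern, text):
    """Return the first captured integer for pattern, or None if it is absent."""
    m = re.search(pattern, text, re.I)
    return int(m.group(1)) if m else None

def find_env_checks(src, stall_name="WaitSeconds"):
    """One finding per Function that queries a Win32_* class via WMI."""
    findings = []
    for name, body in FUNC_RE.findall(unwrap_constants(src)):
        wmi = re.search(r'\bfrom\s+(Win32_\w+)', body, re.I)
        if not wmi:
            continue  # no WMI query in this function, not an environment check
        prop = re.search(r'\b\w+\.(\w+)\s*\)?\s*[<>/]', body)  # property compared or divided
        stalls = re.findall(rf'^\s*{re.escape(stall_name)}\s*$', body, re.I | re.M)
        findings.append({
            "function": name,
            "wmi_class": wmi.group(1),
            "property": prop.group(1) if prop else None,
            "divisor": first_int(r'/\s*(\d+)', body),  # unit conversion, if any
            "threshold": first_int(r'\bIf\b[^\n]*?<\s*(\d+)\s*Then', body),
            "stall_calls": len(stalls),
        })
    return findings

if __name__ == "__main__":
    for finding in find_env_checks(SAMPLE):
        print(finding)
```

Multiplying the threshold by the divisor gives the minimum value in bytes that an analysis VM must report for that check not to stall.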

Now, let’s have a look at the encoding used to hide the malicious DLL file. The main function used for this purpose looks like this:

The DLL has a score of 38/68 (SHA256: 342dc3cd2e1a91179f74df7bdb0fe68fe5de43063821dd4152b7b00d19244eed)[2].

This script executed perfectly in my sandbox and the DLL was dumped and loaded. But I like to check deeper and understand the obfuscation techniques created by malware developers. I found this one interesting to share with our readers.